Identity and privacy at risk on new internet

Boil it all down and last week's Black Hat conference in Las Vegas discussed just two things - identity and privacy in cyberspace. Both are at risk as the internet enters a period of massive expansion.

Boil it all down and last week's Black Hat conference in Las Vegas discussed just two things - identity and privacy in cyberspace. Both are at risk as the internet enters a period of massive expansion.

IT managers need to deal with these issues in the light of the increasing volume and subtlety of attacks by ill-intentioned people.

Identity and privacy are two sides of the same coin. For the internet to work, everything connected to it requires a unique identifier, known as an internet address or uniform resource locator (URL). This allows network routers, which act as postmasters, to direct messages to the right address.

The internet was designed to be flexible. This makes it possible for people to pretend to own someone else's address and thus to divert traffic elsewhere, or even to take over the address.

In addition, many people want to hide their identities and activities on the internet for both legitimate and illegitimate reasons.

Bob Lentz, the US Department of Defense's chief security officer, says the internet is now a "global commons". This means everyone has a right to access and share in the benefits it can bring.

But it is a fragile ecosystem, he says. Far too many are abusing the right. This abuse includes hacking, criminal acts and borderline legal acts, such as spamming.

Lentz says it is impossible for the Department of Defense, which paid for the original development of the internet, to take back control, clean it up and lock it down to make it safe.

Instead, he proposes a six step plan to increase the resilience of the network. This, he says, will allow people to use the internet safely despite the hazards.


The US Department of Defense's chief security officer has set out a six-step plan to improve the resilience of the internet and make it safe to use despite the hazards posed by spammers, web site hackers, identity thieves, spies and other criminals. 
 1. To strengthen the network's physical and logical underpinnings so that commercial off the shelf applications could run safely
 2. To ensure that software and systems were written and ran securely
 3. To reduce the "attack surface", meaning leaving fewer opportunities to compromise network elements and applications
 4. To reduce anonymity (but not necessarily the privacy) of network elements, including users, so that bad behaviour could be isolated and removed
 5. To build security into the network from scratch
 6. To build ad hoc IT architectures that could serve their purpose and disappear as soon as their mission was over.


IT managers' role is essentially to practice safe computing. Use firewalls, anti-virus and intrusion detection systems. Use the latest software patches. Make sure that networks are properly configured. Delete or change default passwords. Identify properly everyone, and increasingly everything, to the network. Define their resulting privileges. Monitor them for transgressions. Revoke their privileges instantly when they are no longer needed.

This will become even more critical as the internet migrates from the IPv4 addressing scheme to the IPv6 scheme. IPv6 will create a possible 2 to the power 128 IP addresses.

Many of the new addresses will identify machines such as CCTV cameras, mobile phones, package labels, even GPS-tagged cows and killer whales, as machine-to-machine communication moves from closed proprietary networks onto the internet.

Many things will need only temporary addresses. This will create a headache for the people who have to ensure that they are taken out of circulation at the right time and that, despite the huge number of available URLs, that they can be reused and still keep their uniqueness.

The organisation that has to do this and so protect the owners' right to their unique addresses is the Internet Corporation for Assigned Names and Numbers (Icann).

Icann works through licensed national domain name registrars. They are responsible for keeping the register of who owns which domain names, now 200 million, and their associated URLs. The national registrars also resolve disputes and run the domain name servers, the internet's post offices. Nominet is the UK's domain name registrar.

This set-up has worked for 40 years. There are proposals to change it. They would see control of the domain registries and possibly its technical development centralised.

Rod Beckstrom, the new head of Icann, argues that the internet is already too big for centralised control. "If you chop off a spider's leg, the spider loses the leg entirely," he says. "But if you chop off a starfish's leg, it grows a new one, and the chopped off leg grows into a new starfish."

The proposals would hand control to a central body such as the International Telecommunications Union. The ITU has little experience in resolving business issues quickly. This would lead to delays in resolving disputes over who owns a domain name or a URL. It would also create a vast new bureaucracy and raise costs.

Icann uses the starfish model, which the Department of Defense's Lentz approves of, because it provides resilience against a catastrophic central failure. IT managers should therefore resist efforts to centralise control of the internet.

Nominet is presently consulting on the future of the domain name business in the UK. It is looking for comment from CIOs and IT managers that will help it shape the future of the internet here and elsewhere.

Read more on Networking hardware